Environment data structure in Consul/Vault

By default, Vault and Consul are supported for storing sensitive key-value pairs for our Docker configurations. To use Consul/Vault, set CONFIGURE_MODE to Vault. When you start a Docker container, the startup scripts try to fetch environment-related data from Vault.

For example, you can have a Tenant to represent your company (such as MyCompany), an EnvironmentName (such as Non-production), and an EnvironmentType (such as auth).


Key-value data structure in Consul/Vault

The key-value data on Consul/Vault is stored in a tree structure. You can fetch the key-value data through the following path: http://VaultIP:Port/v1/<Tenant>/EnvironmentName/EnvironmentType/TargetKey. The following table lists all default key-value paths on Consul/Vault. You can also add your own key-value paths based on your business requirements and define the custom logic to fetch them.

| KeyPath | Mandatory/Optional | Sample value | Comments |
|---|---|---|---|
| Tenant/EnvName/domainName | Optional | default.svc.cluster.local | If no value is specified, the following default value is applied: default.svc.cluster.local |
| Tenant/EnvName/oidcClientId | Optional | | We need to specify a value to enable IBM ID. |
| Tenant/EnvName/oidcClientSecret | Optional | | We need to specify a value to enable IBM ID. |
| Tenant/EnvName/blueIDServer | Optional | | We need to specify a value to enable IBM ID. |
| Tenant/EnvName/blueIDProviderHost | Optional | | We need to specify a value to enable IBM ID. |
| Tenant/EnvName/traceSpecification/ts-app | Optional | | To change the trace spec, specify a value. |
| Tenant/EnvName/traceSpecification/search-app | Optional | | To change the trace spec, specify a value. |
| Tenant/EnvName/traceSpecification/crs-app | Optional | | To change the trace spec, specify a value. |
| Tenant/EnvName/traceSpecification/xc-app | Optional | | To change the trace spec, specify a value. |
| Tenant/EnvName/certs/CertName | Optional | demo2/qa/certs/demo2qa-test={'certificate': 'asdfadsfadsfads', 'destination_host': 'adsfadsf', 'issuing_ca': 'fadsfadsfads', 'keystorepass': 'adsfadsfads', 'private_key': 'adsfadsfasd'} | We can add third-party certificate records. |
| Tenant/EnvName/certsBundle | Optional | demo2/qa/certsBundle={'crsapp': 'demo2qa-testky', 'searchapp': 'demo2qa-test', 'storeapp': '', 'tsapp': 'demo2qa-test', 'tsweb': '', 'xcapp': ''} | We can create bundled certificates as a sample. When we deploy the environment, the container can detect the bundled certificates and apply them. |
| Tenant/EnvName/kafkaServers | Optional | | Specify a value to enable ZooKeeper and Kafka. |
| Tenant/EnvName/zooKeeperServers | Optional | | Specify a value to enable ZooKeeper and Kafka. |
| Tenant/EnvName/auth/dbHost | Mandatory | | N/A |
| Tenant/EnvName/auth/dbName | Mandatory | | N/A |
| Tenant/EnvName/auth/dbPassword | Mandatory | | N/A |
| Tenant/EnvName/auth/dbPort | Mandatory | | N/A |
| Tenant/EnvName/auth/dbUser | Mandatory | | N/A |
| Tenant/EnvName/auth/dbType | Mandatory | | N/A |
| Tenant/EnvName/auth/dbaUser | Mandatory for Oracle | | This value is required for an Oracle database. |
| Tenant/EnvName/auth/dbaPassEncrypt | Mandatory for Oracle | | This value is required for an Oracle database. |
| Tenant/EnvName/auth/dbPassEncrypt | Mandatory for Oracle | | This value is required for an Oracle database. |
| Tenant/EnvName/auth/dbSSLEnable | Optional | true\|false | N/A |
| Tenant/EnvName/auth/dbXA | Optional | true\|false | N/A |
| Tenant/EnvName/auth/merchantKeyEncrypte | Mandatory | | N/A |
| Tenant/EnvName/auth/spiUserName | Mandatory | | N/A |
| Tenant/EnvName/auth/searchPort | Optional | | Specify a value to reset searchPort, instead of using the default value. |
| Tenant/EnvName/auth/searchMasterHost | Optional | | Specify a value to reset searchMasterHost, instead of using the default value. |
| Tenant/EnvName/auth/searchSlaveHost | Optional | | Specify a value to reset searchSlaveHost, instead of using the default value. |
| Tenant/EnvName/auth/searchRepeaterHost | Optional | | Specify a value to reset searchRepeaterHost, instead of using the default value. |
| Tenant/EnvName/auth/storeHost | Optional | | Specify a value to reset storeHost, instead of using the default value. |
| Tenant/EnvName/auth/storePort | Optional | | Specify a value to reset storePort, instead of using the default value. |
| Tenant/EnvName/auth/storeWebPort | Optional | | Specify a value to reset storeWebPort, instead of using the default value. |
| Tenant/EnvName/auth/xcHost | Optional | | Specify a value to reset xcHost, instead of using the default value. |
| Tenant/EnvName/auth/xcPort | Optional | | Specify a value to reset xcPort, instead of using the default value. |
| Tenant/EnvName/auth/kafkaTopicPrefix | Optional | ${TENANT}${ENVIRONMENT}${ENVTYPE} | Specify a value to config ZooKeeper and Kafka. If no value is specified, the following default value is applied: ${TENANT}${ENVIRONMENT}${ENVTYPE} |
| Tenant/EnvName/auth/healthCenterEnable | Optional | | Specify a value to enable healthCenter. |
| Tenant/EnvName/live/dbHost | Mandatory | | N/A |
| Tenant/EnvName/live/dbName | Mandatory | | N/A |
| Tenant/EnvName/live/dbPassword | Mandatory | | N/A |
| Tenant/EnvName/live/dbPort | Mandatory | | N/A |
| Tenant/EnvName/live/dbUser | Mandatory | | N/A |
| Tenant/EnvName/live/dbType | Mandatory | | N/A |
| Tenant/EnvName/live/dbaUser | Mandatory for Oracle | | This value is required for an Oracle database. |
| Tenant/EnvName/live/dbaPassEncrypt | Mandatory for Oracle | | This value is required for an Oracle database. |
| Tenant/EnvName/live/dbPassEncrypt | Mandatory for Oracle | | This value is required for an Oracle database. |
| Tenant/EnvName/live/dbSSLEnable | Optional | true\|false | N/A |
| Tenant/EnvName/live/dbXA | Optional | true\|false | N/A |
| Tenant/EnvName/live/merchantKeyEncrypte | Mandatory | | N/A |
| Tenant/EnvName/live/spiUserName | Mandatory | | N/A |
| Tenant/EnvName/live/spiUserPwd | Mandatory | | N/A |
| Tenant/EnvName/live/searchPort | Optional | | Specify a value to reset searchPort, instead of using the default value. |
| Tenant/EnvName/live/searchMasterHost | Optional | | Specify a value to reset searchMasterHost, instead of using the default value. |
| Tenant/EnvName/live/searchSlaveHost | Optional | | Specify a value to reset searchSlaveHost, instead of using the default value. |
| Tenant/EnvName/live/searchRepeaterHost | Optional | | Specify a value to reset searchRepeaterHost, instead of using the default value. |
| Tenant/EnvName/live/storeHost | Optional | | Specify a value to reset storeHost, instead of using the default value. |
| Tenant/EnvName/live/storePort | Optional | | Specify a value to reset storePort, instead of using the default value. |
| Tenant/EnvName/live/storeWebPort | Optional | | Specify a value to reset storeWebPort, instead of using the default value. |
| Tenant/EnvName/live/xcHost | Optional | | Specify a value to reset xcHost, instead of using the default value. |
| Tenant/EnvName/live/xcPort | Optional | | Specify a value to reset xcPort, instead of using the default value. |
| Tenant/EnvName/live/kafkaTopicPrefix | Optional | ${TENANT}${ENVIRONMENT}${ENVTYPE} | If no value is specified, the following default value is applied: ${TENANT}${ENVIRONMENT}${ENVTYPE} |
| Tenant/EnvName/live/healthCenterEnable | Optional | | Specify a value to enable healthCenter. |


Storing key-value pairs in Vault

To set up Vault, see the Vault website. When you have a Vault ready for use, complete the following steps to store and retrieve key-value pairs.

  1. Create a mount point based on the {Tenant}. For example,

      init_json='{"type":"generic","description":"description","config":{"max_lease_ttl":"876000"}}'
      header="X-Vault-Token:<VAULT_TOKEN>"

      # Mount a generic secret backend at the Tenant path
      curl -X POST -H "$header" -H "Content-Type:application/json" -d "$init_json" http://<Vault-IP-Address>:<VaultPort>/v1/sys/mounts/Tenant

  2. Store key-value pair data using the following command.

      curl -X POST -H "X-Vault-Token:<VAULT_TOKEN>" -d '{"value":"<theValue>"}' http://<Vault-IP-Address>:<VaultPort>/v1/Tenant/EnvironmentName/EnvironmentType/TargetKey

    For example, to store the value "mall" for a key name "dbName" under path MyCompany/Non-production/auth/dbName:

      curl -X POST -H "X-Vault-Token:7f47efbb-b162-619b-0ced-448079d91b77" -d '{"value":"mall"}' http://myhostname.com:8200/v1/MyCompany/Non-production/auth/dbName

  3. Retrieve data using the following command.

      curl -X GET -H "X-Vault-Token:<VAULT_TOKEN>" http://<Vault-IP-Address>:<VaultPort>/v1/Tenant/EnvironmentName/EnvironmentType/TargetKey | jq -r .data.value
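
A preflight check for the key layout and the retrieve step above, as an added example that is not part of the original page or the product's startup scripts: it walks the mandatory keys from the table for one Tenant/EnvironmentName/EnvironmentType and reports which paths are absent or empty, without returning any secret value. The function names, the constructed `SAMPLE` data and the `oracle` spelling of `dbType` are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Mandatory keys under Tenant/EnvName/<auth|live>/, taken from the table on this page.
MANDATORY = ["dbHost", "dbName", "dbPassword", "dbPort", "dbUser", "dbType",
             "merchantKeyEncrypte", "spiUserName"]
EXTRA = {"live": ["spiUserPwd"]}  # the table lists this key as mandatory for live only
ORACLE_ONLY = ["dbaUser", "dbaPassEncrypt", "dbPassEncrypt"]


def vault_fetch(base_url, token, path):
    """GET <base_url>/v1/<path>; return .data.value, or None when Vault answers 404."""
    url = f"{base_url}/v1/{urllib.parse.quote(path)}"
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["data"].get("value")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def missing_keys(tenant, env_name, env_type, fetch):
    """Return mandatory key paths that are absent or empty. Values are never returned."""
    prefix = f"{tenant}/{env_name}/{env_type}"
    required = MANDATORY + EXTRA.get(env_type, [])
    # Assumption: dbType holds the string "oracle" (any case) for Oracle databases.
    if (fetch(f"{prefix}/dbType") or "").lower() == "oracle":
        required = required + ORACLE_ONLY
    return [f"{prefix}/{key}" for key in required if not fetch(f"{prefix}/{key}")]


# Constructed sample data standing in for a Vault server; not real credentials.
AUTH_SAMPLE = {"dbHost": "db.example.internal", "dbName": "mall", "dbPassword": "",
               "dbPort": "1521", "dbUser": "wcs", "dbType": "Oracle",
               "merchantKeyEncrypte": "constructed", "spiUserName": "spiuser",
               "dbaUser": "system", "dbPassEncrypt": "constructed"}
SAMPLE = {f"MyCompany/Non-production/auth/{k}": v for k, v in AUTH_SAMPLE.items()}

if __name__ == "__main__":
    # Against a real server: fetch = lambda p: vault_fetch(base_url, token, p)
    for path in missing_keys("MyCompany", "Non-production", "auth", SAMPLE.get):
        print("missing or empty:", path)
```

Running the check before container start surfaces an incomplete environment as a list of key paths, so the secret values themselves never reach a log.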

